


The Basics of Information Security

by fresne



Category: The Murderbot Diaries - Martha Wells
Genre: Gen, ISO 27001, Information Security Concepts, Teen for references to past violence because Murderbot
Language: English
Status: Completed
Published: 2020-12-04
Updated: 2020-12-04
Packaged: 2021-03-10 06:08:46
Rating: Teen And Up Audiences
Warnings: No Archive Warnings Apply
Chapters: 1
Words: 7,843
Publisher: archiveofourown.org
Story URL: https://archiveofourown.org/works/27869717
Author URL: https://archiveofourown.org/users/fresne/pseuds/fresne
Summary: The fundamental principles of InfoSec are pretty simple... ...actually this may make more sense if I break it down. Humans understand things better when principles are told in a story (this has no relationship to how I understand things no matter what ART says). Or how Murderbot ends up giving a teaching module on Information Security concepts because humans are bad at security. Some small avoidance of the word relationship or feelings.
Relationships: Asshole Research Transport & Murderbot (Murderbot Diaries)
Comments: 25
Kudos: 100
Collections: Yuletide 2020






**Author's Note:**

  * For [skatzaa](https://archiveofourown.org/users/skatzaa/gifts).



> Thanks to my ever helpful beta capriciousK.

On our first mission I experienced three catastrophic dips in performance reliability requiring a shutdown (which no matter what ART says does not always happen), leaked all over several commercial docks and access corridors on BarHyfaBlu station, ART was a complete asshole about everything, and we accomplished what we set out to do. So there was that. Afterwards, I could have gone back to Preservation, but I would have had to travel through several Corporate Rim stations, and it just made more sense (ART had made flow diagrams) for me to stick around on ART for one of its teaching missions.

This meant ART dumped all sorts of information in my feed about interfacing with adolescent humans, but I have watched every episode of _Sweet Station High_.

Anyway, how I ended up teaching an Information Security module to humans was a bit more complicated than that, and kind of ironic since everything I learned about InfoSec came from watching edutainment programming on the entertainment feeds and not the company's education modules, which are cheap crap. Naturally, I was anxious about the whole thing and would rather have found something dangerous and shot the shit out of it, but ART insisted I'd do fine.

The fundamental principles of InfoSec are pretty simple: Information Security Policies (Of course, no human reads them and even if they read them, they forget what they read), Organizational Management (ART is everywhere and tries to organize everything, which is why it's a monster), Human Resource Security (don't get me started), Asset Management (knowing what assets you have), Access Control (managing who has access to those assets), Cryptography (something humans think they are good at and like all aspects of security, they are wrong), Physical and Environmental Security (what most people think about when they think SecUnit plus working environmental controls), Operations Security (don't fuck up your assets by failing to patch or upgrade them), Communication Security (that transmission is probably trying to fuck up your assets), System Acquisition and Maintenance (don't fuck up your assets while upgrading them), Vendor Management (corporations will try to fuck you over even if you have a contract, but read the contract), Incident Management (plan how to respond to attempts to fuck up your assets), Business Continuity (ensuring the assets you care the most about are secure even if something horrible happens, because inevitably it will), and Compliance (make sure you do what you say you're going to do in your policies, so never). 

… actually this may make more sense if I break it down. Humans understand things better when principles are told in a story (this has no relationship to how I understand things no matter what ART says).

##  Information Security Policies

So teaching mission. Cargo modules had been removed. Teaching modules and labs added. There were teaching staff gazing at deep space. There were adolescent humans being taught how to gaze deeply at deep space. There was deep space. Technically not the space we were in. We had to travel through space (several wormholes in the ring network and by extension several stations) to get to uncharted deep space. It all looks like deep space to me, but also I don't care. I sat in my favorite chair and watched media. 

ART cares very much about exploring deep space and talks about it - and teaching adolescent humans - a lot.

I told myself that I was on board for the media and personal convenience, and possibly to spend some additional time with ART when no one was shooting at me and ART wasn't threatening to delete friendly bots. I'd already learned several things on the last mission that I wasn't ready to analyze yet. 

Mensah had sent me a communication, and I analyzed it several times. It still said that I was welcome to return whenever I wanted or stay away as long as I needed.

So yeah. Teaching mission. I wasn't necessarily pretending to be human. I certainly wasn't pretending to be a security consultant who was pulled into every interpersonal dispute between the young adult humans on board. There were teachers and counselors for that. 

ART and I watched a lot of media. I tried not to patrol its corridors and failed, but I could watch media while doing that so it was fine. 

Until the InfoSec class, which just to be clear was not my idea. It was also not, surprisingly, ART's idea either. 

"Well, you are a security expert," said Seth, who technically was ART's captain, but given ART that was more of a pity title. 

"I am a SecUnit." I didn't say Murderbot, because that's my name and my name is private, and I was still getting to know ART's crew. They hadn't abandoned me yet, so that was a mark in their favor.

"So... inherently, you're an expert in security," said Seth.

He wasn't wrong that I was inherently better than a human, but that's a pretty low bar.

"SecUnit is extremely proficient in security scenarios," said ART piping into our feed like a rude, bossy, interfering, giant construct with nothing better to do than interrupt conversations while performing complicated calculations navigating us through wormholes. Then ART topped it off by saying, "For an advanced bot."

I sent the equivalent of a rude human gesture into our private feed, which ART ignored.

"After the incident on NuNuYark station, I'd really like to improve on our security awareness training." Seth paused. "The regular crew are fairly aware, but…"

This seemed to be a good place for a person to sigh, so I sighed with what 35,000+ hours of media told me was a great deal of expressiveness. I'd discovered over the last several months that I liked sighing at conversational points like that and had built an algorithm to maximize it. 

NuNuYark had been a cluster-fuck with one faculty member (we'll call them RTFMClient1) who had theoretically read the mandatory Acceptable Use Policy (AUP), which clearly stated that if personnel were going to access the University feed from unsecured locations (such as say a restaurant in an overly expensive hotel on a station transit hub before heading out into deep space), they were supposed to use a private line and not just communicate in the clear on a hotel feed. Certainly, not while holding their pad angled so half the cameras in the restaurant could clearly see the display.

While other faculty (we'll call them RTFMClient2), who had also in theory read the AUP, knew that if he was going to access University data from his personal devices, he needed to not download that data to those personal devices and should by extension try not to lose those devices while using a public tube.

While other faculty (we'll call them RTFMClient3), still theoretically capable of reading, knew not to post to her social feed about the proprietary information (like SecUnit on the research vessel), which meant every Corporation data mining the social feed (which is to say all of the ones with a presence on station: GenKral, TalTani, and Palisade Security, who like when the colony solicitor's evil clone showed up in episode 245 of _The Rise and Fall of Sanctuary Moon_ had turned up where no one wanted them) decided there must be something valuable going on onboard the transiting teaching vessel and decided to do their best to steal every byte of information that the faculty was dropping everywhere.

Then there was the teaching assistant (RTFMClient4), who failed to follow protocol when visiting a Corp Rim station and failed to log their visit plan (actually I understood that one to a degree given ART) and almost didn't make it back on board, because Corporations are greedy (in this case GenKral specifically) and inclined to kidnap people. But no matter how incapable of following policies, the TA was a client and ART's crew (for the duration) and we couldn't let them stay kidnapped.

Also, the student (InexperiencedClient1) who failed to follow the AUP's clear direction not to download any unauthorized plugins for her university-provided interface that theoretically would give her more mods in her feed, but was actually malware. 

Anyway, in answer to my sigh, Seth sighed back. I could see from my drones that he was looking at me sympathetically. I do appreciate how the recent turn in my life towards freedom means I can commiserate about humans' tendency for dumbassery. 

"Excellent, you're getting to know my crew better already, and you would do an excellent job teaching core InfoSec concepts," said ART looming in my feed and speaking in an eerily cheery voice I recognized as the principal from _Sweet Station High_ and it knew I would.

This was where I needed to have access to the same technology as in _Time Stream Defenders Orion_ and time loop out of it, but somehow I said yes. Technically the InfoSec policy says everyone gets trained on InfoSec concepts, which generally means humans read the AUP and then forget everything in it, but we were going to do something different. Joy.

Also, I'm not kidding about the time loop equipment would have been useful just then.

##  Organization of Information Security

"But you like ART? Like, like like it?" asked Turi, one of ART's permanent humans. 

I parsed that question for 5 seconds, which trust me is a long time for a bot.

"They mean are we romantically entangled," said ART unhelpfully over the teaching modules' coms.

Ewww was my most immediate response. Also, no thank you. No thank you. No. Also, I wanted to quash any conversation like that at the beginning of the cycle. Also, I wanted a wormhole to open up under me like in episode 78 of _Worldhoppers_. Also (also there were far too many alsos) murder was not the answer here even though I felt like it might be. "I have less than null interest in interfacing with ART… Peri in…" I paused because I wasn't even sure how Turi imagined that would work, "that way." and left it to the human to imagine what the words "that" and "way" meant.

Of course, since we were inside ART, the other presence in the room was the giant construct hovering behind me breathing over my shoulder. Well, other than not breathing. Although I had noticed that ART had upped the HVAC vent over my head by 5 percent so ART was in a certain way breathing down my neck, and yes that was a percent for every second that I'd paused in horror.

I moved a foot to the right, which at least took care of that problem.

This by the way has nothing to do with the Organization of Information Security, which is all about assigning roles for who does what, and contacting relevant authorities when something goes pear shaped. Also, ART is a bossy monster who wants to control everything and had probably put Turi up to the like-like question. Thinking about which caused my performance reliability to go down by 5 percent. 

I therefore did what I always do in this sort of situation; ignored the discussion and asked Iris to explain the segregation of duties in InfoSec.

She answered, "SecUnit is responsible for InfoSec, and is a boss at keeping its clients safe. ART is the boss in which we all travel. Humans are just along for the ride and should try not to screw things up." She made a complicated gesture with her dominant hand. I could understand why ART liked her.

As to contacting relevant authorities, mostly they get in the way. 

Although, given that after I leaked all over the access corridors on NuNuYark, the fact that I pinged Seth meant he stopped ART from deleting the GenKral SecSystem and HubSystem while I did my job, and we'd actually left the station without anything exploding.

##  Human Resource Security

ART was clutching its functions and getting up in my feed. This time about the intersection of deep space telemetry and human resources. 

We'd picked up a consultant on NuNuYark, which according to ART wasn't all that unusual.

ART said, "I've already completed a thorough review of Dr. Bensah's history and beyond a flirtation with (skipping over a discussion of public bodily functions that humans who are both adolescent and under the influence of mood altering chemicals engage in that was horrifying), he has an exemplary career in astro-cartography." Then because ART is a jerk, they dumped the entirety of Dr. Bensah's publication record into my feed, which since I'd never had a module on deep space mapping (it would have been crap and pointless if from the company, and excellent if still pointless if from ART's university) told me that Dr. Regiford Bensah liked big words and not enough graphs when talking about wormholes. Also, I don't care. 

Since my risk analysis hadn't actually identified a specific point of concern for ART's crew from their temporary teaching contractor for riveting deep space mapping (that's a lie, but it wasn't any more crushing boredom than guarding a mining station - and with the students learning about deep space mapping not even completely dull), it wasn't as if I could point to a specific problem. Also, I've learned to be careful or ART will completely overreact. "I'm still completing my analysis."

"Why do you think there will be an issue with Dr. Bensah? What data is your analysis based on?" because ART can't just let me do my job. "His contract with our mission predates anything that occurred on NuNuYark."

"I said, I'm still completing my analysis," I repeated, which wasn't going to work to make ART back off and let me process. After all, the real problem was I'd spent three cycles cleaning up after humans, and several Corporations were very interested in just what the University was up to (ironic because at that time it really was just deep space research), and look a new human being added to the crew complement just before we went off into that deep space. Right after a mission that corporations shouldn't know anything about. A new human who was an adjunct professor from a Corporate Rim teaching facility that specialized in grinding out new indentured techs.

I am paranoid by design. Depressed and anxious by accident. I was programmed by humans and am therefore a complete mess.

After 1.3 seconds ART said, "He doesn't have tenure."

"Which means?" I asked, because it might actually be relevant.

"You might be right." I sent code at ART that was the equivalent of rolling my eyes.

I continued to monitor Dr. Bensah through ART's cameras, which would have been better without ART complaining that it was more than capable of monitoring all the crew, faculty, and students. We also started a new series, _Space Monkeys from the Andromeda System_, which ART assured me was ridiculous because Andromeda was a galaxy. I was fairly certain that what was ridiculous about the show wasn't that Andromeda was misidentified.

It's also not entirely true that I left all discussion of personal problems to the University counselors, but it was a ship safety problem when I ended up talking to a student who was considering a drastic - given how fragile humans are - resolution for her life. We talked about mind numbing anxiety and depression for ninety minutes until she was ready to leave the airlock and a counselor with actual training from a non crap medical module was there to talk to her. 

ART had been running clips from _The Rise and Fall of Sanctuary Moon_ the entire time. I didn't thank it, because ART was the reason I'd known to go into the airlock, but queued up an episode of _Worldhoppers_, so it was all good.

##  Asset Management

I knew exactly how many crew members ART had: 8. I knew exactly how many teaching staff were on board: 9, plus the 2 counselors (what would possess a person to take this up as a career was incomprehensible and no matter what ART said I was not going to talk to one, especially while ART inevitably listened in and that was before the whole airlock incident). I knew how many students there were on board: 98.

There was also the matter of the consultant. 

I do not know how many bots ART has on board. Each time I think I have an accurate count - it really is impossible to secure a location without an accurate inventory - ART turns out to have some new and as yet undisclosed asset, because ART is a secretive, lying construct. 

Such as astrocartographic buoys used to identify the stability of wormholes using some math and sensors stuff I don't care about. 

"You should have told me about the buoys," I told ART very reasonably. 

"I don't complain because you don't tell me about the connective relays in your left arm," said ART peevishly and quite unfairly. (There are very few parts of myself that ART hasn't repaired by this point). 

I turned on episode 38 of _Rise and Fall of Sanctuary Moon_ while running a diagnostic on my left arm, because I am that petty. I also reviewed my analysis of Dr. Bensah's activities. He was not an engineer nor did he have any speciality in equipment repair. Even if he was an expert in mapping the things the buoys help map, he had no reason to be handling them himself.

"I could flood the atmospheric mixture in his quarters with Thiopental, which should make Dr. Bensah compliant with questioning," said ART.

This is why I have to be careful about what I say to ART.

"We're not drugging the consultant," I told ART. "The results from Thiopental are not that accurate." ART was ready to provide me with a massive data dump on Thiopental, which forced me to add, "I've seen it used," (during my pretending my governor module worked cycles - and obviously they hadn't used it on me and no, I don't want to talk about what happened next) "Unless you want to know about his personal life." I should have parsed before talking. ART wanted to know everything about everyone. 

Also, I was not going to talk to a counselor. Although, I did end up escorting Cytha (the airlock student) to a group discussion about depression to ensure that she went to the small group discussion and not another airlock, and then stayed to ensure that she stayed. I did not say anything, because I'd rather shoot myself in the face. I watched several episodes of _The Rise and Fall of Sanctuary Moon_. There isn't that much media that focuses on anxiety and depression. Presumably because it's depressing.

But to get back to Asset Management, it's all about figuring out what you have and then labeling whether it's a critical system or not, and what the risk would be if you were to lose the confidentiality, availability, and integrity of that asset.

After that all went down, I went to sit in my favorite chair on the control deck, and verified that I'd adequately backed up _The Rise and Fall of Sanctuary Moon_ and indexed that the full set was viewable and didn't have any errors. ART didn't tell me that it kept more than adequate backups. It also didn't tell RTFMClient2 where I was when he wanted to go on about NuNuYark, and all I wanted to do was pretend I was in a closet.

I'd say that's it for Asset Management, but it's kind of related to all the other bits. 

##  Access Control

While on NuNuYark, I was able to find RTFMClient2's personal device by taking control of the HRSystem (Contrary to popular belief HR creates all identifiers not Security, which makes no sense. HR is full of humans who like people. Security isn't.) long enough to create a unique identification for myself as a security consultant, assign that ID the authorization I needed, then authenticated I was the me I'd just created to the humans analyzing the device and was given access to RTFMClient2’s (and the University's) data. At which point, I purged everything following the data retention and deletion policy of slag it to basic components.

ART thought I didn't create enough backstory, and added a social feed for me, but that was just overkill and I should know given I'm a Murderbot.

So that's the fundamentals of Access Control. Who are you? What are you authorized to do? How do you verify that you are you? Also, regularly reviewing who has been authorized to do what, and changing that access when humans change roles or leave.

Something in the way I explained that last part had InexperiencedClient1 wanting to get into a philosophical discussion on the nature of humanity and change, which ART encouraged, because ART likes to indulge adolescent humans, which sometimes is useful to me, but not just then. At that moment I had a task, which was teaching humans some basics about not throwing proprietary data around. Which is how ART and I got into a discussion in front of the students, which resulted in Turi saying, "It's like you're an adorable old married couple," which resulted in my performance reliability dropping to 87 percent (it had been a long class cycle) and I had to face the wall while I assigned the students a review of the basics of multi-factor authentication. 

Speaking of which, Dr. Bensah was a contractor. He was not authorized to do anything beyond his actual contract, which I looked at and had nothing to do with buoys.

Iris on the other hand is ART's favorite human, the captain's daughter, a member of the secret stuff that goes on onboard ART, and is therefore authorized to do a lot. 

To back up slightly, the reason why ART wanted to drug Dr. Bensah was once it powered the buoys up, there were no access logs indicating that they had been accessed by Dr. Bensah. However, the logs clearly showed that Iris had logged into the buoys multiple times and performed updates, which was unlikely since she hadn't been anywhere near the buoys. The logs also weren't updated at the same time Dr. Bensah had accessed the equipment bay, but there was also an indication that the buoys' onboard time sync systems had been adjusted.

"What kind of human would do something like that?" asked the construct, who relied on correctly syncing subsystem timestamps for accurate sensory input. To say ART was horrified would be putting it mildly. 

I didn't remind ART that humans also like to ingest chemical stimulants and depressants (see also the skipped background on Dr. Bensah's adolescence). It would have been beside the point. I put on an episode of _Worldhoppers_ while going to ask Iris about Dr. Bensah.

She was happy to see me, which was… it was… I wasn't really ready for that. So I stared at the wall above her head and asked what she thought about Dr. Bensah. Unfortunately she got the wrong (and completely horrifying) idea that I was interested in Dr. Bensah for gross human reasons involving parts I do not have and do not want. Worse, she was just a bit sharp when she said, "I thought you liked Peri."

"ART is a monster, who cannot be trusted," I answered automatically to give myself time to think. Really the very idea of parts touching. Gross. 

Once we had determined that I did not want to place a dongle (again gross) in Dr. Bensah, we were able to determine that Iris' access dongle had been removed from her wrist unit during a lab incident with some water and a cephalopod (humans can have strange pets) and Dr. Bensah had been present. None of ART's systems relied solely on anything as weak as a passcode for authentication. However, a review of RTFMClient3's social feed showed that she'd posted very high resolution selfie pictures, including one with Iris, which included a clear view of Iris' retinas. 

An access dongle can be replicated if you have the right tech (though ART insists their dongles are perfect and unique - and really get your mind out of the gutter, because again eww). But with an access dongle (something Iris and now Bensah has) with a retina replicator (something Iris is and in this case could be faked), plus her personal access code (something Iris knows - don't even ask. Even smart humans are stupid about them) and Dr. Bensah had been able to access the buoys.

Theoretically. 

That's why ART was by this point more than ready to put Thiopental in Dr. Bensah's air filtration system. Also, why I was thinking back to the principles of the Organization of Information Security. Fortunately, ART agreed that I was the expert on not uselessly drugging personnel to find out how and why they were fucking with us. I suppose I could say if, but my risk analysis on Dr. Bensah was in the 87 percentile, which is solidly in the high risk category.

##  System Acquisition, Development and Maintenance

Once, when I was guarding a mining operation (to be clear I've spent a lot of cycles doing nothing particularly interesting) some administrators and engineers got the bright idea of modifying the MiningBots' something I don't care about to cut costs, but without running the update through the HubSec for Quality Assurance resulting in MiningBots that did a very good job destroying the habitat. I saved my clients and ended up in a box as a reward. That was an example of an intended, if complete crap, code update.

Unlike, for example, Ganaka Pit where the malware uploaded into the ComfortBots was intended to be uploaded into the LoaderBots and slow them down, but instead resulted in almost every bot in Ganaka Pit going on a rampage.

Sometimes there is very little difference from badly formatted code and malware.

"This code change doesn't change the function of the buoys," said ART having examined the changes to the code in every possible way.

I don't have ART's compute power, but I had to agree. I also had to wonder if ART was humoring me by making up an investigation. ART knew everything that happened on board. ART was capable of charting a path through a wormhole, calibrating life support for optimum comfort, performing surgery on three students who decided to take up rock climbing (really why) and plan a meal, while crunching through the data for patterns. There was simply no conceivable way that ART needed me to investigate anything. 

However, when I told ART that it said, "You're an idiot. A paranoid idiot. While I like to collect evidence before making plans for what to do, you are suspicious of everyone, and you're good at thinking the situation through." 

I wasn't quite sure what to say about that, so I went to stare at a wall while playing episode 68 of _The Rise and Fall of Sanctuary Moon_ while ART reported to Seth. Which unfortunately meant that I had to go report to Seth about what I didn't know yet.

Fortunately, as someone seeking to overthrow the influence of corporations, Seth had a reasonable level of suspicion. He said, "Keep an eye on Dr. Bensah. All of this could be coincidental, but it's best to be sure. Report back if you find anything else. For now, let's reset all but one buoy to the previous code base, release all of them and see what data comes back." 

At which point I took back what I had said about Seth's reasonable levels of suspicion. 

##  Cryptography

I examined the encrypted code that Iris' friend Tala submitted for the Hackathon. Because she was Iris' friend and Iris was ART's favorite, I waited 8 seconds before explaining that I'd cracked it and the encryption was weak.

At least it was better than RTFMClient4's encryption, which might as well have been a transcription cypher in an old mystery. Like the short series _Habeas Corporate_.

"Tala, you did a good job," said ART reprovingly over my shoulder.

"Peri, what am I doing wrong?" asked Tala plaintively as if she was RTFMClient4, which she really wasn't.

Since she hadn't asked me, I didn't answer her. ART said in my feed, "Explain it to her," and out loud over the coms, "I'm sure your Sec Teacher could give you a pointer. Its implementation of encryption techniques is far in advance of most bots."

For some reason this had Tala smiling at me. Not that I was looking at her, but ART dumped an image of it in my feed. 

I told the wall, "Your encryption algorithm was complex, but static. That gave me an attack surface." ART made encouraging noises over the comms, which almost had me stopping right there, but I could somewhat see what ART saw in educating younger humans. 

Especially when she said, "Oh, you mean if I kept changing it like a felter ball, there wouldn't have been a way to reverse engineer it."

I had no idea what a felter ball was until ART dropped an image of one along with a completely unnecessary history of the sport into my feed. But it did mean I could tell her, "Yes." 

Also, after about three days of the buoys sending back extra galactic astronomic analysis of the wormhole, there was a tight beamed encrypted message back to the relay station, which ART jammed from going anywhere. 

ART cracked it like an egg and dropped the data in my feed.

I examined it and had to ask, "Really?"

ART replied, "I said he's not tenured."

##  Physical and environmental security

When most people think about physical security, they think about the sort of things SecUnits spend a lot of time doing. Guarding assets. Mostly bored while guarding assets. While being an asset. Patrolling. Physical security stuff.

Technically, threatening to fill Dr. Bensah's room with Thiopental was a great example of Environmental Security, or rather a complete lack of it. Also, ensuring that the engines were maintained at the correct temperature and humidity was a good example, too.

RTFMClient2 resetting the temperature controls in a teaching suite, because he was cold, while offsetting the humidity, which could have damaged ART's internal density sensors, was an example of a failure of environmental security. After about thirty minutes of explaining what kind of damage he could have done to ART (and ART wouldn't even have said anything because RTFMClient2 was part of its temporarily extended crew and it had a strange blind spot about protecting the emotional whatever of its crew), RTFMClient2 apologized to ART.

ART tried to ruin the fear of me I'd put into RTFMClient2 by saying, "That's not necessary, I had things under control." 

But I had my drones spin around my head in a meaningful way, and RTFMClient2 apologized again. 

Then horrifically, Cytha, who was in the classroom said, "I love the way you stand up for Peri." At which point I fled, because there are limits to what a Murderbot can take. 

##  Communications Security

Back when we were on NuNuYark station (really just a complete cluster fuck), one of the students had received an urgent request from one of their professors. Spelling errors. Obviously malformed feed address. An obvious phishing request. But they panicked and opened it. This led to their interface being infected with malware. Their interface in turn uploaded it to one of the modular lab spaces, and ART had to spend an entire cycle cleaning the lab.

Anyway, I sent an urgent request for a research peer review to Dr. Bensah from a professor at the university (my targeted phish did not have misspellings or an obviously malformed feed address, and ART added an actual paper for review). Dr. Bensah opened it, which led to Dr. Bensah's private interfaces being riddled with malware that I'd coded with ART (not a replica this time, just a little bit of code).

ART even agreed this was much better than drugging Dr. Bensah. 

##  Operations Security

I'd stopped getting company patches and updates after Mensah purchased me and I went fully rogue. As opposed to 35,000 hours of being a secretly rogue SecUnit while watching hours of media and still doing the same old horrifically boring and terrifying tasks. 

An unpatched SecUnit is a vulnerable SecUnit. Exactly the sort of thing I didn't want to think about while explaining to students (and several teachers - RTFMClients 1 to 4) why patching interfaces as soon as the patch is available is very important and not to be left for sixty cycles resulting in vulnerabilities to malware. 

I blamed ART.

Not that I could blame ART that I hadn't been able to hack the GenKral SecSystem because of my self-patched state and had had to hack the aquarium in the chief administrator's office to access the GenKral SecSystem. However, I've already upgraded my anti-malware systems from the cheap crap that the company initially installed. 

Of course, when RTFMClient1 expressed concern about my self-patched state, ART explained that it would be taking care of my patches and code upgrades itself, which I wasn't about to allow. Letting ART change my appearance and comment on my hair styling choices was bad enough. I wasn't about to let it take over patching. 

This led to another discussion (and Turi and Iris whispering about how cute we were) and this time I did not flee. This time I changed the subject, while ignoring ART on our private feed asking if I trusted it. 

I assume when Iris came to me later to say that she was worried about malware attacking my systems that was ART's revenge for my sending Amena to ask questions when it was having a meltdown over the whole alien infected humans deleting it and capturing its crew (and fine yes, I also had a meltdown, but that's not the point). I also found myself not vehemently rejecting that ART was concerned about me. I could feel ART lurking in the feed and watching us from its hidden cameras. I made a rude gesture in our private feed, and ART worryingly didn't respond. 

Anyway, that was how I ended up working with ART on my patches and upgrades. ART's a monster, I wasn't about to allow it to work on my inner workings alone. The fact that it didn't complain led me to think that this may be what it intended all along.

##  Supplier Relationships

There is a sacred phrase on the Corporate Rim. "It's in the contract." This isn't to say that a Corporation won't try to renegotiate the contract (say by having a SecUnit point an energy weapon at your head while you try to leave with data that said Corporation would like to become proprietary intellectual property), but having a solid contract and reading it is a good idea.

I had no idea what Dr. Bensah's contract with TalTani was, but given he was supposed to be framing a crew member for some sort of interdicted behavior (like framing Iris so it looked like she played a prank with an astrocartographic buoy and accidentally did some overly complicated plot thing that resulted in some ship going on an endless wormhole journey if they used that data, then enabling TalTani to use that frame as leverage for… something), it couldn't have been that well thought out.

And anyway, based on his badly encrypted message and the data from his interfaces, unless it was a honeypot that contained a top-level message to conceal an even deeper bit of data (ART said it wasn't, but I re-examined the message several times to be sure), he'd decided instead to double cross TalTani and instead slap their own private code in the buoy to test some theory I don't care about so that he could get proprietary information to trade to a university (any university) for tenure.

This was where Seth sat Dr. Bensah down for a private conversation. Well, private… I was there to play bad cop and ART was omnipresent worst cop. 

Although, the honeypot paranoia gave me an idea.

##  Incident Management

There are several types of system controls involved in incident management. 

Deterrent controls. SecUnits are primarily Deterrents to keep staff and other corporations from stealing equipment or information, protect management from staff who have lost their shit and try to murder them, or keep the clients from getting themselves killed.

The way I deter targets trying to fuck up my clients/assets is to shoot things. A lot. Maybe discuss how I was going to remove the target's lungs and beat them with them. I've done it before. 

The way ART deterred targets that could fuck up their crew is to explain in incredible detail how it was going to slowly disassemble the relevant bot or human to ensure the consciousness was retained while being disassembled until it was time to atomize the body.

Seth didn't believe ART was telling the truth. Humans like to threaten. Bots and constructs state facts. Admittedly ART and I lie a lot, but not about statements intended to convey the severity of the situation.

Dr. Bensah believed someone, but plaintively told us that he hadn't actually harmed Iris and went into I don't care detail about the change to the buoys that got ART and Seth excited for some reason, which wasn't the point.

The point was the honeypot message. Ours. This is what is known as a compensating control. Basically, something that compensates for something going catastrophically horribly wrong. Like someone hacking your system, but only getting the data in your honeypot. Another example of compensating control would be ART backing up their kernel and getting me kidnapped so I could restore their backup. So there is that.

There's also preventative controls like firewalls, access controls, encryption, etc. Detective controls like all of ART's cameras or my drones watching everything that's going on around us, or the logs we'd used to figure out what Dr. Bensah had been doing. There's also recovery controls, which is how to get over an incident. When I understand that one better, I'll communicate it. I really don't always end up shut down and leaking over everything.

##  Information Security Aspects of Business Continuity Management

Palisade Security had apparently decided that I was the SecUnit that got them on the Company's bad side. Which is a bit of a stretch. I can't be every SecUnit in every news story and social feed, and I don't make their choices for them. There is for that matter another SecUnit on Preservation watching planet side stuff that made my skin crawl. At least that was what Mensah had said in her last communication.

She communicated very regularly and her encryption, given I designed it for her, was top notch.

Anyway, Palisade, diminished but not destroyed after their little contractual problems with the Company, had decided to take a more direct approach than TalTani to get our secrets and sent a gunship through the wormhole to shake down the deep space research vessel with secrets and a SecUnit they wanted to disassemble with prejudice. 

I didn't like either plan. Those seemed like non-recoverable incidents.

So, to back up a bit, Business Continuity is about looking at what assets you have, figuring out which ones you can't survive without, and then protecting the shit out of those assets. The things you don't give a fuck about you don't do shit to protect, or in some cases do a half-assed job protecting, because you only kind of care. The InfoSec part is about ensuring that while you're making sure the assets you can't do without are safe, you also make sure that you aren't bleeding (or in my case leaking) proprietary information all over the place.

I had known since I met ART that its crew were assets that it couldn't do without. I'd been forced to come to the conclusion that even clients I didn't really care all that much about were non-negotiable in a protection sort of way. I also really couldn't ignore that ART had been ready and willing to bomb a planet for me. That ART’s crew regarded me as an asset not to be abandoned. It's just that thinking about it made me lose performance reliability to 85 percent due to emotional compromise. 

So, yeah, ART and I arguing over what to do about the gunship wasn't our finest moment. 

Especially since I knew that ART revealing that it is also a gunship by firing on another gunship (and possibly not destroying it since Palisade doesn't have to pretend not to be a gunship as well as a research and occasional cargo vessel) wasn't a great way to keep a secret, and ART was equally insistent that I not put myself in danger of getting hacked by killware or shot by Combat Bots.

Then RTFMClient3 attempted to be spectacularly dumb by going out in a shuttle to distract Palisade because, "This is all my fault," and "Peri shouldn't suffer for my mistakes," and some other things that made my biological bits feel strange and resulted in my losing performance reliability to 80 percent.

Fortunately, while she did figure out how to do a manual override for the shuttle bay doors, I moved my drones to block her from doing the permanent thing and then arrived myself to stop her, but more forcefully. It did give me an idea though, which after some consultation with ART we put into motion.

I thought some more about the Organization of Information Security, while I arranged several pathfinders on the surface of the shuttle, which we then launched and ART piloted as if someone was trying to escape. Naturally, Palisade shot and blew it up, and the pathfinders moved out of range just in time to avoid becoming debris, while hiding in the debris. 

Seth negotiated with the captain of the Palisade ship to stall them. Just as things broke down, the still very armed pathfinders drifted out of the shuttle wreckage, then flew up to the Palisade ship and blew up next to its engines, which meant it was now floating in space with minimal power. 

We then negotiated not to tell the entire Corporate Rim that a gunship had been disabled by a survey ship (and one owned by a university at that) if they would contractually agree to go away. Also, we didn't blow them up even more. 

Then, because ART and I had already been cooking up a honeypot, we sent a new encrypted message from (well, in theory since he was locked in a lab going over his buoy code change with Seth) Dr. Bensah with a honeypot for Palisade to decrypt and a different payload of falsified leverage for TalTani, which if Palisade cracked, it was fine.

The honeypot was where I finally got to use my idea about a SecUnit purpose built for Universities. We even included some compressed footage of one of my classes. ART dropped data in my feed that it had already set up a social feed on PortFreeCommerce about the fake corp that custom built the university SecUnit. There were press releases, information on some of the available education modules, etc. All of which would provide cover that Dr. Bensah was stealing information about my design, and therefore making it seem less likely that I was every SecUnit in the news.

"When did you do this?" I pored over the frothy Marketing speak white papers.

"When you agreed to join me on our last mission," said ART. Then didn't say anything else, which was unusual for ART, but then the level of detail in how ART had built out my idea said more than enough.

As to the main payload, it was exactly what Dr. Bensah was supposed to have done. Without actually having done anything other than increase the accuracy of astro cartography or telemetry or really I didn't care. Although, I had some ideas about using the wormhole to nowhere concept as a way to disappear ships full of repossessed colonists while allowing TalTani and/or Palisade to think they had leverage to get proprietary information that wasn't worth crap.

##  Compliance

Which led me back to Seth asking me to give everyone a refresher on basic security concepts so we could improve compliance with the basics. 

"Fine. I'll do it." I hadn't intended to say that. I actually had to roll back my memory to be sure I had actually said it. Because willingly spending more time with humans seemed unlike me. For a moment, I had to wonder if I'd been hacked, but no. Just by myself.

ART wanted to help. By wanted to help, I mean designed an entire curriculum. We compromised on a seven cycle course with modules on the fundamental basics and some InfoSec activities: see who could ID the phish (and shame their fellow crew for failing to ID phish), a round of capture the digital flag (ART and I designed the user stories for the various flags - the students did pretty well), and a hackathon working on security ideas (most of them were crap, but there were a few interesting things that came out of it).

"You enjoy this," said ART smugly, which is its default sound other than sarcastic. "It's your function. Your function can be enjoyable."

I was enjoying it, but I wasn't going to admit it. Although, when we made our way back through NuNuYark, it was surprisingly incident free. So it was good to see that humans were capable of minimal recall and complying with the basics of information security for three cycles.

Also, after sending a message to Mensah, I decided to stick around with ART for a bit longer. After all, it had gotten word about a possible mission. Just the two of us. Watching media. Gathering intel to destabilize corporations. No humans using the word relationship or cute or married couple. Just a bot and a construct carrying out activities that we found enjoyable in proximity to each other and watching each other observe media. ART planned to stop at Preservation station so I could check in on Mensah's status. 

I had the impression that ART was going to ask if I would be sticking around more permanently, but that was the future and I don't have _Time Defenders Orion_ technology so I'd think about it when I got there.

Although, as I settled into my favorite chair to watch the first episode of _Journey to the Rim_, a new media series about a group of settlers on a pre-corp generations ship, with ART looming over my feed, I thought that my answer would most likely be yes.

"You really don't understand the composition of your own motivations, do you?" asked ART in a sarcastic way.

I leaned back into my chair and said, "If you'd rather watch something else we can."

"No, this is fine." We settled into watching the ridiculous and highly improbable story as ART traveled through a wormhole to our next destination.

**Author's Note:**

> The headers are the security control groups from the ISO 27001: International Standard for how to manage information security. May or may not resemble what's in this story. I.e., not all security concepts lend themselves to a narrative, blah, blah, are a bit more complex and I skipped a certain amount of stuff (oh, where, oh where is Murderbot's privacy policy or data retention policy) https://en.wikipedia.org/wiki/ISO/IEC_27001  
> Big Encryption trends  
> https://thenextweb.com/contributors/2018/04/27/12-big-encryption-trends-will-keep-data-secure/  
> https://murderbot.fandom.com/wiki/Murderbot_Wiki  
> Also, RTFM - read the fucking manual.


